Friday, February 22, 2008

Hooray! Firefox 3 fixes some JavaScript Malware

Today I decided to give the recently released Firefox 3 beta 3 a try because it looks like it has some slick new features. Also, there seemed to be a rather large emphasis on security, and many of us have been waiting patiently to see how and when Mozilla would address JavaScript malware. According to the release notes, many of the newly added security features are directed toward Anti-Phishing, Anti-Malware, and more user-friendly SSL. Noble pursuits that I'm sure add value, just not what I'm personally into.

7 comments:

There is another small security improvement: the single quotation marks are now escaped in URLs in the same way it already happened for double quotation marks. This should stop quite a few XSS vectors.

And you can no longer set document.domain to a TLD like "com" or "co.uk" - quite a bunch of popular web sites were careless with document.domain and took a value for it from the URL.
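The document.domain rule described in this comment, modelled as an added example (not code from the post or from Firefox): a page may relax document.domain only to a parent domain of its own host, never to a bare public suffix. The suffix list here is a constructed sample; real browsers consult the much longer Public Suffix List maintained by Mozilla. The `relaxFromQuery` function is a hypothetical stand-in for the careless "take the value from the URL" pattern the comment mentions, with the check applied in front of it.

```javascript
// Constructed sample of public suffixes (real browsers use the full
// Public Suffix List). Anything in here must never become a document.domain.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "uk", "co.uk", "org.uk"]);

function isPublicSuffix(domain) {
  return PUBLIC_SUFFIXES.has(domain.toLowerCase());
}

// Returns true when `requested` is an acceptable document.domain value for a
// page currently served from `currentHost`; mirrors the Firefox 3 restriction.
function canSetDocumentDomain(currentHost, requested) {
  const host = currentHost.toLowerCase().replace(/\.$/, "");
  const target = requested.toLowerCase().replace(/\.$/, "");
  if (host === "" || target === "") return false;
  // Re-stating the page's own host is always allowed.
  if (target === host) return true;
  // Must be a parent domain on a label boundary:
  // "shop.example.com" -> "example.com" is fine, "ample.com" is not.
  if (!host.endsWith("." + target)) return false;
  // Must not be a public suffix such as "com" or "co.uk"; otherwise every
  // site under that suffix could opt into sharing this page's origin.
  if (isPublicSuffix(target)) return false;
  return true;
}

// Hypothetical careless pattern from the comment: the value to relax to comes
// straight from the query string. The guard above is what keeps it safe.
function relaxFromQuery(currentHost, queryString) {
  const requested = new URLSearchParams(queryString).get("domain") || "";
  if (!canSetDocumentDomain(currentHost, requested)) {
    return { ok: false, reason: `refused document.domain = "${requested}"` };
  }
  return { ok: true, domain: requested };
}
```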

Wow, nice find. Firefox has changed in terms of its superior "Security". Haha, I bet Ronald will get a kick out of this release! Nice post Jeremiah, but they have a long way to go until Firefox becomes more stable in relation to web security.

Another enhancement (it's in bugzilla, but not sure it's documented elsewhere) is FF3 now has document.domain restrictions on file:// URLs to prevent file:// from having access to entire system/shares (I think it limits effective document.domain to current directory).

This prevents the excessive file:// based trust that allowed Windows based file:// XSS hijacks to do full drive browsing, access other drives on system as well as SMB share invocation with UNC (file://///hostname/share, file://///ip.ip.ip.ip/share or admin shares).

I seem to recall they didn't do this with XSS hijack control in mind (a la my Sage + XSS-Proxy stuff), but it prevents that as well.

About Me

Jeremiah Grossman's career spans nearly 20 years; he has lived a literal lifetime in computer security and become one of the industry's biggest names. He has received a number of industry awards and been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events, including many top universities. All of this came after Jeremiah served as an information security officer at Yahoo!